IPv6 Fundamentals, Tim Chown, Jisc, HEP SYSMAN


IPv6 Fundamentals, Tim Chown (Jisc), HEP SYSMAN Meeting, RAL, 13 Jun 2017, tim.chown@jisc.ac.uk


IPv4 status (exhaustion!)


40 years of IP networking
» IPv4 has lasted some 40 years or so
» In the 1970s IP networking was just an ‘experiment’
› A handful of computers taking part
» The designers chose to use 32 bits for IPv4 addresses
› 4.3 billion (2^32) addresses is enough for an experiment, right?
› A quite reasonable decision at the time by Vint Cerf and Bob Kahn.
» IPv4 address notation was agreed
› Addresses written in the ‘dotted quad’ form, e.g., 192.0.2.1
» Today, with IoT and other IP growth areas, 32 bits is clearly not enough
IPv6 @ HEPSYSMAN, RAL, 13 June 2017


IPv4 address space status – exhausted!
» The IANA IPv4 global address pool was exhausted in Feb 2011
› There is no new, unused IPv4 address space left to give to RIRs
» The Regional Internet Registries (RIRs) have varying levels of reserves of address space
› APNIC and RIPE NCC are on their last /8, and rationing heavily
› ARIN ran out completely in September 2015
» RIPE NCC is using a ‘Last /8’ policy: this means the max IPv4 allocation is a /22 (1,024 addresses)
› So ISPs (including Jisc) have no new supply of significant address space from their RIR
› Jisc can no longer give (say) a /20 to a new university
› But existing IPv4 deployments still work, of course; the sky has not fallen (yet)
» See http://www.potaroo.net and http://ipv4.potaroo.net for many, many charts
› Excellent resource maintained by Geoff Huston


IPv4 Allocations over time by IANA (chart)


IPv4 run-out projection (chart)


Address exhaustion
» What are the impacts of IPv4 address exhaustion?


Impact of IPv4 address exhaustion?
» Includes:
› Some organisations may possibly be “encouraged” to return addresses
› Increased address space trading/leasing – market at $10/IP or more
› Increased use of NAT
– True end-to-end networking difficult, or impossible
– Increased complexity in network management
– Accountability issues, potential for overlapping private address space
› Introduction of Carrier Grade NAT by ISPs
– Home DSL router has an ISP-private IP on its ‘public’ interface
– Can be recognised by use of reserved 100.64.0.0/10 prefix (RFC 6598)
– Likely to have a negative impact on applications, esp. inbound
› Use of other forms of address sharing
– Customers might get an address and a range of port numbers to use


IPv6 Protocols


IPv6 features?
» The solution to IPv4 exhaustion is IPv6
» NAT has bought us some time, and is now widely deployed in most home networks, and many SME and enterprise/campus networks
» NAT has an adverse effect on network operations, especially end-to-end
» But what IPv6 features or benefits are you aware of already?
› Thoughts?


IPv6 features
» Key new features of IPv6
› 128-bit address space
› Host autoconfiguration through “Stateless Address Autoconfiguration” (SLAAC)
› SLAAC allows devices to generate their own IP address without a DHCP server
» Implicit features
› LOTS of addresses – so no need to use host-based NAT
» Over-hyped (and not really true…)
› Improved QoS
› Improved security


Aside: about IP protocols and standards
» The Internet works thanks to use of commonly agreed protocols
» The Internet Engineering Task Force (IETF) develops IP-related protocols (amongst other protocols higher up the stack)
› Meets three times annually, and uses mail lists
› Operates by consensus in Working Groups
› Any individual can write an Internet draft
› Internet draft documents are discussed and, if supported through WG adoption, progressed to RFC status and published
› Now over 8,000 RFCs published
» See http://www.ietf.org


The IPv6 core protocol
» IETF work began in the mid-1990s on the protocol that became IPv6
» Led to publication of RFC 2460 in 1998
› This core specification has remained largely unchanged for nearly 20 years
– Except for some security-specific updates
– Undergoing a (minor) revision this year, largely to include pointers to more recent and relevant RFCs (see draft-ietf-6man-rfc2460bis-13)
› Defines header format, including 128-bit addresses, and packet processing
» The IPv6 address format is defined in RFC 4291
› Describes what the addresses look like
› (This RFC has been updated once, and is getting a refresh alongside RFC 2460-bis)


The IPv6 address format
» An IPv6 address is 128 bits
› But how do we write an IPv6 address?
› Using dotted decimals like IPv4 would be very long!
» It was agreed that addresses are written as eight sets of four hexadecimal characters, e.g.
› 2001:0db8:0000:baad:cafe:1234:5678
» To abbreviate, you can omit any leading zeros
› 2001:db8:0:0:baad:cafe:1234:5678
» And you can replace one series of :0: fields with ::
› 2001:db8::baad:cafe:1234:5678
› … why only one?


Example 1…
» How can you abbreviate the following IPv6 address?
› 2001:0db8:0000:0000:0c50
» Candidate answers (A–D on the original slide):
› 2001:0db8:0:0:0c50
› 2001:0db8::0c50
› 2001:db8::c5
› (taken from http://www.ripe.net/lir-services/training/material)


Example 2…
» How can you abbreviate the following IPv6 address?
› 2001:0db8:0000:b450:0000:00b4
› A. 2001:db8::b450::b4
› B. 2001:db8::b450:0:0:b4
› C. 2001:db8::b45:0000:b4
› D. 2001:db8:0:0:b450::b4
» Note: 2001:db8::/32 is the reserved IPv6 documentation prefix
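The abbreviation rules from the two slides above, and the answer to “why only one ::?”, as an added worked example (not code from the talk). It expands any textual address to its eight groups, compresses it the way RFC 5952 recommends (leading zeros dropped, the longest run of zero groups, leftmost if tied, becomes `::`), and enumerates what a string with two `::` could mean. The eight-group sample addresses are constructed under the 2001:db8::/32 documentation prefix, since the slide examples are shown truncated.

```python
"""Expand, compress and disambiguate textual IPv6 addresses (added example).
Sample addresses are constructed under the documentation prefix 2001:db8::/32."""
import ipaddress


def expand(addr: str) -> list:
    """Turn any valid textual IPv6 address into its eight 16-bit groups."""
    if addr.count("::") > 1:
        # The reason for "only one": with two '::' it is impossible to tell
        # how many zero groups each one stands for.
        raise ValueError("at most one '::' is allowed: %r" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = [int(g, 16) for g in head.split(":") if g]
        tail_groups = [int(g, 16) for g in tail.split(":") if g]
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + [0] * missing + tail_groups
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError("not a valid IPv6 address: %r" % addr)
    return groups


def compress(addr: str) -> str:
    """Canonical short form (RFC 5952): no leading zeros; the longest run of
    two or more zero groups (the leftmost on a tie) is written as '::'."""
    groups = expand(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:          # strictly longer: leftmost wins ties
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = ["%x" % g for g in groups]     # '%x' drops leading zeros
    if best_len >= 2:
        return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])
    return ":".join(hexs)


def possible_expansions(ambiguous: str) -> list:
    """Enumerate every address a string with two '::' could denote, which is
    exactly why such a string is not a valid address."""
    parts = ambiguous.split("::")
    if len(parts) != 3:
        raise ValueError("expected exactly two '::'")
    fixed = [[int(g, 16) for g in p.split(":") if g] for p in parts]
    known = sum(len(p) for p in fixed)
    results = []
    for first in range(1, 8 - known):
        second = 8 - known - first
        if second < 1:
            continue
        groups = fixed[0] + [0] * first + fixed[1] + [0] * second + fixed[2]
        results.append(str(ipaddress.IPv6Address(":".join("%x" % g for g in groups))))
    return results


if __name__ == "__main__":
    # Constructed eight-group version of the Example 2 address
    print(compress("2001:0db8:0000:0000:b450:0000:0000:00b4"))
    print(possible_expansions("2001:db8::b450::b4"))
```

Running it shows that `2001:db8::b450::b4` (answer A in Example 2) could stand for three different addresses, while the single-`::` form picks out exactly one; `compress` agrees with `str(ipaddress.IPv6Address(...))` on every input.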


Breaking an address down
» IPv6 allocations are made through the RIRs just as they are (or were!) for IPv4
› The default IPv6 allocation to an ISP is a /32 IPv6 prefix, e.g. Janet has 2001:630::/32
› A larger ISP, such as Sky UK, can obtain a larger block of address space
» A typical prefix breakdown for a university site might be: (diagram)


Site IPv6 prefixes
» As stated, the default allocation for a site, such as a campus, is a /48 IPv6 prefix
› In practice, a home network may get less, e.g., a /56
» Such prefixes are Provider Assigned/Aggregated (PA), from the ISP
› This means if a customer changes ISP, they will be given a new, different prefix
› Which means the customer will have to renumber
» RIRs also offer Provider Independent (PI) allocations
› These are /48 in size
› See https://www.ripe.net/publications/docs/ripe-684, which describes the policy
› Good for customers, but will cause larger global IPv6 routing tables
» Or you can apply to become a Local Internet Registry (LIR), and receive a /32
› QMUL and UCL have done this


IPv6 Address Types
» There are two general classes of IPv6 addresses
» Unicast
› Same as IPv4, but with the addition of link-local addresses
› More on those in a moment…
» Multicast
› Inherent to the IPv6 protocols, in particular Neighbour Discovery (ND) (RFC 4861)
› All multicast addresses fall under ff00::/8
› IPv6 does not have an IP subnet broadcast address
› It uses link-local multicast within subnets instead
› So beware any (very) old hub/switch devices


IPv6 unicast address scopes
» Global addresses
› Unique globally, routed globally. Just like IPv4.
» Unique Local Addresses (ULAs) (RFC 4193)
› Used within a site, not routed externally
› Uses reserved prefix under fc00::/7
› The other prefix bits are random to make a /48 prefix that is probabilistically unique for the site
› A bit like IPv4 RFC 1918 private addresses, but not designed to be used with NAT
» Link-local addresses
› Unique on a subnet, not forwarded by routers
› Uses reserved prefix under fe80::/10
› A bit like IPv4 169.254.0.0/16 space (RFC 3927)


Multiple IPv6 addresses per host
» So in IPv6, hosts are usually multi-addressed
› Invariably with at least a link-local IPv6 and a global IPv6 address
» ULAs may be used as well as global addresses
› Offers stable internal addressing for a site if your global prefix changes
› Devices inside a routed site can prefer to use their ULA addresses
› Again, they are NOT designed to be used for IPv6 NAT
» Currently it seems that no universities are using ULAs
› Existing IPv6 deployments use global addresses provided by Jisc
» ULAs have been proposed for some uses, e.g. in IPv6 homenets
› The ISP prefix is more likely to change in those scenarios, so internal address stability is desirable


Picking addresses: IPv6 Address Selection
» Defined in RFC 6724
› Updates original guidance in RFC 3484
» Used to allow a host to – for example – pick an appropriate source address to use with a given destination address
› Match scopes where possible
› e.g. it should use a ULA source to talk to a ULA destination
› Do not use a link-local source to talk to a global destination (why?)
» However, the multiple address issue is also a challenge for network management and monitoring
› Tracking which addresses belong to which devices
› Eric will likely mention this later; if not, ask him
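The three scope slides and the address-selection slide above, carried into code as an added example (not from the talk): a classifier for the fc00::/7, fe80::/10 and ff00::/8 ranges, a ULA /48 generator following RFC 4193 (fd00::/8 plus a random 40-bit Global ID), and a cut-down source selection that applies only RFC 6724’s scope rule and longest-matching-prefix rule, so it is a simplification, not any operating system’s algorithm. All addresses are constructed.

```python
"""Address scopes, ULA generation and scope-matched source selection (added
example; a simplification of RFC 6724, constructed addresses throughout)."""
import ipaddress
import secrets
from typing import List, Optional

ULA = ipaddress.IPv6Network("fc00::/7")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
MULTICAST = ipaddress.IPv6Network("ff00::/8")

# Smaller rank = more local scope; unknown scopes are treated as global
SCOPE_RANK = {"link-local": 1, "unique-local": 2, "global": 3}


def scope(addr: str) -> str:
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "unique-local"
    if a in MULTICAST:
        # Multicast scope lives in the low nibble of the second byte (RFC 4291)
        return {2: "link-local", 5: "site-local", 0xE: "global"}.get(
            a.packed[1] & 0x0F, "multicast-other")
    return "global"


def generate_ula_prefix(global_id: Optional[bytes] = None) -> ipaddress.IPv6Network:
    """RFC 4193: fd00::/8 + random 40-bit Global ID = a /48 that is very
    probably unique, so two merging sites will not collide the way RFC 1918
    networks do."""
    if global_id is None:
        global_id = secrets.token_bytes(5)
    if len(global_id) != 5:
        raise ValueError("Global ID must be 40 bits")
    prefix = bytes([0xFD]) + global_id + bytes(10)
    return ipaddress.IPv6Network((prefix, 48))


def pick_source(candidates: List[str], destination: str) -> str:
    """Prefer a source whose scope matches the destination's; treat a source
    with a smaller scope than the destination as worst (a link-local source
    cannot be answered from off-link); break ties by longest common prefix."""
    dst = ipaddress.IPv6Address(destination)
    dst_rank = SCOPE_RANK.get(scope(destination), 3)

    def common_prefix_len(c: str) -> int:
        diff = int(dst) ^ int(ipaddress.IPv6Address(c))
        return 128 - diff.bit_length()

    def key(c: str):
        rank = SCOPE_RANK.get(scope(c), 3)
        return (rank < dst_rank, rank != dst_rank, -common_prefix_len(c))

    return min(candidates, key=key)


if __name__ == "__main__":
    host = ["fe80::1", "fd12:3456:789a:1::10", "2001:db8:1::10"]
    for dst in ["2001:db8:2::5", "fd12:3456:789a:2::5", "fe80::9"]:
        print(dst, scope(dst), "->", pick_source(host, dst))
    print(generate_ula_prefix())
```

The ordering key answers the slide’s “why?”: a packet from a link-local source to a global destination would never get a reply, because the remote side cannot route to fe80::/10, so such a source sorts last.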


The loopback address… (diagram)


IPv6 Neighbour Discovery protocol
» IPv6 employs a suite of protocols known as ‘Neighbour Discovery’, which take the form of either link-local unicast or link-local multicast ICMPv6 messages
» Nodes can send Router Advertisement (RA) messages, to let hosts know about various properties of the link they serve
» Nodes can send Router Solicitations to request any routers to send an RA
» Neighbour Solicitation (NS) and Neighbour Advertisement (NA) messages provide the equivalent of the IPv4 ARP function (i.e., IP to MAC address lookup)
» Router Redirects can be sent to a host to tell it about a better first-hop router to get to a destination


IPv6 packet headers
» IPv6 by design streamlines the main IP header
› So the IPv6 header has fewer fields than the IPv4 header
› The header is also now a fixed size
› The header is still longer though, due to the 128-bit addresses
» For additional functions/options, IPv6 uses optional Extension Headers, inserted by the sender between the main header and the payload
› Used when needed, e.g. for fragmentation, or IPsec
› So you will see a ‘chain’ of main header, optional headers, then the payload
› In most cases, you just see the main header and payload


IPv4 packet header format (diagram)


IPv6 packet header format (diagram)


IPv4 compatibility?
» IPv6 is a new IP protocol, with 128-bit addresses
» The packet headers are clearly different
» IPv6 is thus not directly compatible with IPv4
» An IPv4-only device therefore cannot send an IPv4 packet directly to an IPv6 device
» We’ll return to how this issue is handled later on when we look at IPv6 transition / integration with IPv4
» Devices can however run both IPv4 and IPv6 together (known as dual-stack), and then choose which protocol to use


More on IPv6 Extension Headers
» Indicated by Next Header field, e.g.:
› Hop-by-hop header
› Destination options header
› Routing header
› Fragmentation header
› Authentication and ESP headers
» In principle, new Extension Headers can be defined
» In practice, firewall implementations can make this problematic, as they drop unknown header types, which new headers will be
» Experiments have shown that packets with certain IPv6 EHs may be dropped by various devices in access networks, or by site firewalls (see RFC 7872)
› Not a problem for ‘normal’ traffic
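The header and Extension Header slides describe the ‘chain’ a firewall has to walk before it can see the transport header. This added example (not code from the talk) parses the fixed 40-byte IPv6 header and follows the Next Header chain through the extension headers that carry one, recording fragment information, and stops at the upper-layer protocol or at ESP, which hides everything after it. The packet it parses is constructed inline: IPv6 / Hop-by-Hop / Fragment / TCP.

```python
"""Walk an IPv6 extension-header chain (added example, constructed packet)."""
import struct

# Extension headers that carry a Next Header field (RFC 2460 / RFC 8200)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH = 0, 43, 44, 60, 51
ESP, NO_NEXT_HEADER = 50, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH}
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def parse_ipv6(packet: bytes) -> dict:
    """Return the fixed-header fields, the extension headers in order, and
    where (and whether) the upper-layer header can be found."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    first, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first >> 28 != 6:
        raise ValueError("not IPv6 (version %d)" % (first >> 28))
    info = {
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,
        "payload_length": payload_len,
        "hop_limit": hop_limit,
        "src": packet[8:24].hex(),
        "dst": packet[24:40].hex(),
        "ext_headers": [],
        "fragment": None,
    }
    offset, nh = 40, next_header
    while nh in EXT_HEADERS:
        if len(packet) < offset + 8:
            raise ValueError("truncated extension header %d" % nh)
        nxt, hdr_ext_len = packet[offset], packet[offset + 1]
        if nh == FRAGMENT:
            # Fixed 8 bytes: NH, reserved, 13-bit offset + M flag, identification
            frag_field, ident = struct.unpack("!HI", packet[offset + 2:offset + 8])
            info["fragment"] = {"offset": frag_field >> 3,
                                "more": bool(frag_field & 1), "id": ident}
            length = 8
        elif nh == AH:
            length = (hdr_ext_len + 2) * 4   # AH: 4-byte units, minus 2 (RFC 4302)
        else:
            length = (hdr_ext_len + 1) * 8   # others: 8-byte units, first 8 not counted
        info["ext_headers"].append(nh)
        offset, nh = offset + length, nxt
    info["upper_layer"] = UPPER.get(nh, nh)   # ESP (50) ends the walk unparsed
    info["upper_offset"] = offset
    # A non-initial fragment carries no transport header at all, so a
    # stateless filter cannot match ports on it.
    if info["fragment"] and info["fragment"]["offset"] != 0:
        info["upper_layer"] = None
    return info


def build_sample(frag_offset: int = 0) -> bytes:
    """Constructed packet: IPv6 / Hop-by-Hop (PadN) / Fragment / TCP stub."""
    src = bytes.fromhex("20010db8000000010000000000000001")
    dst = bytes.fromhex("20010db8000000020000000000000002")
    hbh = bytes([FRAGMENT, 0]) + b"\x01\x04\x00\x00\x00\x00"     # NH=44, 8 bytes
    frag = struct.pack("!BBHI", 6, 0, (frag_offset << 3) | 1, 0xDEADBEEF)  # NH=6, M=1
    tcp = bytes(20)                                                # placeholder header
    payload = hbh + frag + tcp
    return struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64) + src + dst + payload


if __name__ == "__main__":
    print(parse_ipv6(build_sample()))
    print(parse_ipv6(build_sample(frag_offset=185))["upper_layer"])
```

The second call illustrates the RFC 7872 discussion: a device that refuses to walk the chain, or that only sees a non-initial fragment, has no port information to filter on and often drops the packet instead.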


Handling fragmentation in IPv6
» Fragmentation in IPv6 is only performed by the end hosts
› Uses the optional IPv6 fragmentation header
› Fragmentation is not performed by routers in the network
» Thus hosts must be able to establish the path MTU
› Implies the ICMPv6 messages used for PMTU discovery must not be filtered
› See RFC 4890 for ICMPv6 filtering recommendations
› Don’t just blindly drop all ICMPv6 traffic at your site border!
» IPv6 links must have an MTU of at least 1280 bytes
› For Ethernet, the MTU will usually be 1500 bytes
› You may have scenarios where you want to exploit a larger MTU, e.g. 8192 or 9000


Address allocation and management
» We’ve seen what IPv6 packets look like, and the format of an IPv6 address
» We now need methods to
› Get allocations of IPv6 address blocks to use within our site
– As seen earlier, the Janet Service Desk allocates /48s to Janet-connected sites
› Decide the method of configuring addresses on hosts in our site


Configuring IPv6 hosts
» Given an allocation, there are two choices for configuring hosts
› (in addition to manual configuration, if you prefer that)
» DHCPv6
› Largely similar to DHCPv4
› Familiar model, arguably helps to support accountability
› Stateful – the server holds lease information for each address used by a host
» Stateless Address Autoconfiguration (SLAAC)
› Defined in RFC 4862. New for IPv6. Allows hosts to essentially pick their own address.
› Introduces new management challenges
› Still requires stateless DHCPv6 for additional configuration parameters, e.g. NTP server


IPv6 Autoconfiguration
» IPv6 nodes can use SLAAC to determine their
› IP address
› Default gateway
› (Optionally) DNS resolver
» SLAAC works by routers sending link-local multicast Router Advertisements (RAs)
» An RA message contains information that may include:
› On-link prefix(es), with preferred/valid lifetimes
› The link Maximum Transmission Unit (MTU); typically 1500 for Ethernet
› An indication of the availability of DHCPv6; M = stateful DHCPv6 available, O = stateless DHCPv6 available
› A-flag; A = 1 means configure address with SLAAC; A = 0 means do not configure address with SLAAC
› (Optional) DNS resolver information (RFC 8106)


RA operation
» The Router Advertisement is multicast on the local subnet
› Its (link-local) source address implies the default router address
› SLAAC works by appending a 64-bit Extended Unique Identifier (EUI-64) interface identifier to the 64-bit network prefix to form the host’s 128-bit IPv6 address
› The EUI-64 interface identifier is formed by taking the 48-bit MAC address and inserting 16 bits of padding (‘fffe’) in the middle, and then toggling the ‘universal’ bit.


Autoconfiguration example
» For example:
› Host MAC address = 08:00:20:9c:14:66
› Network prefix = 2001:630:80:2::/64
› Address = 2001:630:80:2:0a00:20ff:fe9c:1466
» Note:
› The 48-bit MAC address requires the 16-bit ‘fffe’ padding to build a 64-bit EUI
› The universal/local bit is inverted (hence ‘0a’)
› Key principle is to form the address by using the prefix from the RA appended with the device’s MAC address (with the padding) to form the 128-bit IPv6 host address
» SLAAC means all IPv6 hosts use 64-bit links; i.e. every host network is a /64
» See RFC 7421 for more discussion of “Why 64 bits?”


Privacy concerns with SLAAC…?
» A host autoconfiguring in different visited networks could be traced by its fixed 64-bit interface identifier (IID)
› i.e., the last 64 bits would be the same wherever the device appeared
» So the IETF defined IPv6 privacy addressing (RFC 4941)
› Randomly generate the 64-bit host part when attaching to a network
› And a host may also change its privacy address periodically even if not changing subnets; typically every 24 hours (e.g., as with MS Windows)
» Privacy addresses are good for users, but complicate network management
› Which addresses belong to which hosts?
› More multi-addressing!


Privacy addresses and logging
» So, how many hosts do you really have?
» RFC 4941 says you can change your privacy address as little as every 10 minutes


Linux configuration example
Run ifconfig

eth0      Link encap:Ethernet  HWaddr 00:30:48:76:53:14
          inet addr:152.78.71.152  Bcast:152.78.71.255  Mask:255.0
          inet6 addr: 2001:630:d0:f110:230:48ff:fe76:5314/64 Scope:Global
          inet6 addr: fe80::230:48ff:fe76:5314/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:795291388 errors:0 dropped:0 overruns:0 frame:0
          TX packets:710162840 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:3111500779 (2.8 GiB)  TX bytes:1177068949 (1.0 GiB)


Windows configuration example

Interface 4: Ethernet: Local Area Connection
  uses Neighbor Discovery
  uses Router Discovery
  link-layer address: 00-00-cb-68-0b-2e
    preferred global 2001:630:d0:112:309e:3ba9:d0df:1afc, life 57m25s/27m25s (temporary)
    deprecated global 2001:630:d0:112:cc4e:835c:7e1b:e482, life 57m25s/0s (temporary)
    deprecated global 2001:630:d0:112:f4c5:398e:b5f3:bf58, life 57m25s/0s (temporary)
    deprecated global 2001:630:d0:112:88bd:46d0:b997:6dc4, life 57m25s/0s (temporary)
    deprecated global 2001:630:d0:112:e07c:fe6b:a58a:1608, life 57m25s/0s (temporary)
    deprecated global 2001:630:d0:112:b4dc:cfc5:c6a7:3724, life 57m25s/0s (temporary)
    deprecated global 2001:630:d0:112:1ca9:c9b:849e:7869, life 57m25s/0s (temporary)
    preferred global 2001:630:d0:112:200:cbff:fe68:b2e, life 57m25s/27m25s (public)
    preferred link-local fe80::200:cbff:fe68:b2e, life infinite

» Temporary addresses are IPv6 Privacy Addresses
» These change over time – default of a new Privacy Address every 24 hours on Windows
» A host also has a standard SLAAC-based global IPv6 address, which may be DNS-registered if running services
» Privacy addresses are only used for initiating connections from a host
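The EUI-64 construction from the autoconfiguration example and the “how many hosts do you really have?” question from the Linux and Windows listings, as one added example (not code from the talk). It builds a modified EUI-64 interface identifier (insert ff:fe, flip the universal/local bit), forms the SLAAC address, inverts the process to recover a MAC from an address, and then sorts a host’s global addresses into MAC-derived and random (temporary) ones. The listing it parses is the Windows output above, trimmed; the ff:fe test is a heuristic, since a random IID can contain those bytes by chance.

```python
"""Modified EUI-64 construction/inversion and address inventory (added
example; sample listing taken from the slides, trimmed)."""
import ipaddress
import re
from typing import Optional


def eui64_iid(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64: insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits: %r" % mac)
    first = octets[0] ^ 0x02              # toggle the universal/local bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> str:
    """Prefix from the RA + EUI-64 IID = the host's 128-bit address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix, got /%d" % net.prefixlen)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac)))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the IID looks like a modified EUI-64, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in octets)


def inventory(listing: str) -> dict:
    """Group the global addresses in an OS address listing by their origin."""
    result = {"mac_derived": {}, "temporary_or_random": []}
    for m in re.finditer(r"global\s+([0-9a-fA-F:]+)", listing):
        addr = m.group(1)
        mac = mac_from_address(addr)
        if mac:
            result["mac_derived"].setdefault(mac, []).append(addr)
        else:
            result["temporary_or_random"].append(addr)
    return result


# Constructed sample: the Windows listing from the slides, trimmed to four lines
WINDOWS_LISTING = """
preferred global 2001:630:d0:112:309e:3ba9:d0df:1afc, life 57m25s/27m25s (temporary)
deprecated global 2001:630:d0:112:cc4e:835c:7e1b:e482, life 57m25s/0s (temporary)
deprecated global 2001:630:d0:112:1ca9:c9b:849e:7869, life 57m25s/0s (temporary)
preferred global 2001:630:d0:112:200:cbff:fe68:b2e, life 57m25s/27m25s (public)
preferred link-local fe80::200:cbff:fe68:b2e, life infinite
"""

if __name__ == "__main__":
    print(slaac_address("2001:630:80:2::/64", "08:00:20:9c:14:66"))
    print(mac_from_address("2001:630:d0:f110:230:48ff:fe76:5314"))
    print(inventory(WINDOWS_LISTING))
```

One physical host, one MAC-derived address and three temporary ones: a log or flow record keyed on the address alone over-counts hosts, which is the management cost the privacy slides describe, and why address-to-host tracking (ND cache or switch data, not just the address) matters for accountability.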


New: stable, per-prefix Interface IDs
» RFC 7217 has recently defined an alternative to MAC-based SLAAC addresses
» Still uses the RA for address generation, but no longer appends an EUI-64
» Instead, RFC 7217 generates Interface IDs that are stable for any given visited subnet (i.e., per /64 network prefix used)
› Uses a hashing method on the prefix to build the Interface ID
› So you get the same last 64 bits in your address whenever you attach to a subnet using the same prefix, without exposing your MAC address
» May be used independently of IPv6 Privacy Addressing, i.e. typically you would:
› Use classic SLAAC, with or without Privacy addresses
› Or use RFC 7217-based SLAAC, with or without Privacy addresses
» Windows 10 seems to be using RFC 7217; other OSes likely to follow
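The “hashing method on the prefix” as an added, illustrative example (not code from the talk and not any operating system’s implementation): RFC 7217 defines the IID as the low 64 bits of F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key). SHA-256 is used here as F, the secret key is a constructed constant, and the DAD counter is bumped if the result is a reserved IID, which is the RFC’s retry rule when Duplicate Address Detection fails.

```python
"""RFC 7217 style stable-per-prefix interface identifiers (added example;
SHA-256 as the hash F, constructed secret key)."""
import hashlib
import ipaddress

# Constructed per-host secret: generated once at install time and never shared
SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
RESERVED_IIDS = {bytes(8)}   # subnet-router anycast (all zeros); RFC 5453 lists more


def stable_iid(prefix: str, net_iface: str, secret_key: bytes,
               network_id: bytes = b"", dad_counter: int = 0) -> bytes:
    """IID = low 64 bits of F(prefix, iface, network_id, dad_counter, key)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expects a /64 prefix, got /%d" % net.prefixlen)
    h = hashlib.sha256()
    h.update(net.network_address.packed[:8])   # only the 64-bit prefix matters
    h.update(net_iface.encode())
    h.update(network_id)                       # e.g. an SSID, optional
    h.update(dad_counter.to_bytes(4, "big"))
    h.update(secret_key)
    return h.digest()[-8:]


def stable_address(prefix: str, net_iface: str = "eth0",
                   secret_key: bytes = SECRET_KEY, dad_counter: int = 0) -> str:
    """Skip reserved IIDs by incrementing the DAD counter, as the RFC does
    after a DAD failure."""
    net = ipaddress.IPv6Network(prefix)
    while True:
        iid = stable_iid(prefix, net_iface, secret_key, dad_counter=dad_counter)
        if iid not in RESERVED_IIDS:
            break
        dad_counter += 1
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


if __name__ == "__main__":
    for p in ["2001:db8:1::/64", "2001:db8:1:0::/64", "2001:db8:2::/64"]:
        print(p, "->", stable_address(p))
```

The same prefix, however it is written, always yields the same address, a different prefix yields an unrelated one, and nothing in the output lets an observer recover the MAC or link two subnets to the same device.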


Using DHCP for IPv6
» IPv6 has two variants of DHCPv6
» Full stateful DHCPv6 (RFC 3315; currently undergoing a refresh)
› Includes IPv6 address lease support, as per DHCP for IPv4, i.e., the DHCPv6 server maintains state on the IPv6 addresses leased to hosts
› Supported in common platforms, including the popular ISC DHCP
› The only exception, unfortunately, is Android – see https://code.google.com/p/android/issues/detail?id=32621
» Stateless DHCPv6 (RFC 3736)
› For use with SLAAC
› Used for additional configuration info only, like NTP server, or search domain


DHCPv6 considerations
» DHCPv6 uses new DHCP Unique Identifiers (DUIDs)
› DUIDs aren’t known a priori like Ethernet/MAC addresses
› May be a concern if you want to link IP addresses to MAC addresses by DHCP
› But there are some large-ish DHCPv6 deployments out there, e.g. at CERN, for whom this was not a concern
» In practice, in an enterprise / campus deployment, clients will speak to a DHCP server via a DHCP relay running on a router
› Thus the IETF has introduced RFC 6939 to allow MAC addresses to be included as a DHCPv6 option, and forwarded by DHCPv6 relays
› Support demonstrated in Ubuntu, Cisco IOS and ISC DHCP
› Other platforms following


RAs are still required if you use DHCPv6
» Why?
» The RA is the only way a host can learn its default gateway
› There is no DHCPv6 Default Gateway option
› DHCPv6 also has no option for on-link prefix(es)
» Therefore all IPv6 networks must use RAs
› And consider their security implications
› For example, hosts can send rogue RAs, “accidentally” or maliciously
» Note that rogue RAs can also be an issue on “IPv4 only” networks
› More on this from Eric later...
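The RA contents listed on the Autoconfiguration slide (M/O flags, prefix with A/L flags and lifetimes, MTU, RDNSS) and the rogue-RA concern on this slide, as one added example that is not code from the talk: an RFC 4861 Router Advertisement encoder and decoder for those options, plus a check that compares a decoded RA against the prefixes and resolvers a site expects, which is the core of what an RA monitor on a segment does. The ICMPv6 checksum is left at zero because it needs the IPv6 pseudo-header; all prefixes and resolver addresses are constructed placeholders.

```python
"""ICMPv6 Router Advertisement build/parse and expectation check (added
example; RFC 4861 message and option layout, constructed sample values)."""
import ipaddress
import struct

ICMPV6_RA = 134
OPT_PREFIX, OPT_MTU, OPT_RDNSS = 3, 5, 25


def build_ra(m=False, o=False, router_lifetime=1800, prefix="2001:db8:1::/64",
             a_flag=True, l_flag=True, mtu=1500, rdnss=("2001:db8::53",)) -> bytes:
    """RA header (16 bytes) + Prefix Information + MTU + RDNSS options."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)
    msg = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = (0x80 if l_flag else 0) | (0x40 if a_flag else 0)
    msg += struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, pflags,
                       2592000, 604800, 0) + net.network_address.packed
    msg += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    if rdnss:
        msg += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 3600)
        for server in rdnss:
            msg += ipaddress.IPv6Address(server).packed
    return msg


def parse_ra(msg: bytes) -> dict:
    if len(msg) < 16 or msg[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", msg[:16])
    ra = {"hop_limit": hop_limit, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "mtu": None, "rdnss": []}
    off = 16
    while off + 2 <= len(msg):
        typ, length = msg[off], msg[off + 1]
        if length == 0:
            raise ValueError("zero-length option: RFC 4861 says discard the RA")
        body = msg[off:off + length * 8]
        if len(body) < length * 8:
            raise ValueError("truncated option")
        if typ == OPT_PREFIX and length == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            ra["prefixes"].append({
                "prefix": str(ipaddress.IPv6Network((body[16:32], plen), strict=False)),
                "L": bool(pflags & 0x80), "A": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        elif typ == OPT_MTU and length == 1:
            ra["mtu"] = struct.unpack("!I", body[4:8])[0]
        elif typ == OPT_RDNSS:
            ra["rdnss"] = [str(ipaddress.IPv6Address(body[i:i + 16]))
                           for i in range(8, len(body), 16)]
        off += length * 8              # unknown options are skipped, as required
    return ra


def check_ra(ra: dict, expected_prefixes: set, expected_rdnss: set) -> list:
    """Findings for an RA that differs from what the site expects on this link."""
    findings = []
    for p in ra["prefixes"]:
        if p["prefix"] not in expected_prefixes:
            findings.append("unexpected on-link prefix %s" % p["prefix"])
        if p["A"] and int(p["prefix"].split("/")[1]) != 64:
            findings.append("A flag set on non-/64 prefix %s" % p["prefix"])
    for s in ra["rdnss"]:
        if s not in expected_rdnss:
            findings.append("unexpected DNS resolver %s" % s)
    if ra["router_lifetime"] == 0:
        findings.append("router lifetime 0: not offering itself as default router")
    return findings


if __name__ == "__main__":
    good = parse_ra(build_ra(m=True, o=True))
    print(good, check_ra(good, {"2001:db8:1::/64"}, {"2001:db8::53"}))
    odd = parse_ra(build_ra(prefix="2001:db8:bad::/64", rdnss=("2001:db8:bad::53",)))
    print(check_ra(odd, {"2001:db8:1::/64"}, {"2001:db8::53"}))
```

On a real segment the parsed source link-local address and its MAC would be recorded alongside the findings, so that an RA from an unexpected sender (a misconfigured host as much as a malicious one) can be traced to a switch port; that is also the point at which RA Guard on the switch would have discarded it.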


Addressing on point to point links
» There’s been discussion over the prefix length to use for point-to-point
› /64, /126 or /127?
» Some concerns with using /64
› Address space ‘wasted’
› Possible ‘ping pong’ attacks (packet to an unused address bounces between routers)
› Possible ND cache exhaustion attacks
» IETF now recommends /127 for point-to-point links
› See RFC 6164
› Can still allocate a /64 if you want to though


IPv6 routing
» New versions of familiar protocols have been defined
› Multiprotocol BGP (RFC 2545)
› IS-IS (RFC 5308)
› OSPFv3 (RFC 2740)
› RIPng (RFC 2080)
» Most campuses/enterprises probably run OSPFv2 or IS-IS
› Can run OSPFv2 alongside OSPFv3
› Note: Various platforms don't support multi-AF OSPFv3 yet, so using OSPFv3 for both protocols is perhaps premature
› Do request feature parity in procurements though!
› Opportunity to migrate to IS-IS if not using it


Activity: A quick live demonstration
A glance at IPv6 in action


A quick IPv6 hands-on
» A quick example…
» Using a remote ssh login at Southampton


Differences to IPv4 – a summary


IPv6 key differences

                         IPv4                     IPv6
Address length           32 bits                  128 bits
Prefix length            Varies, typically /24    Always /64 in host subnets
Address configuration    DHCPv4                   Stateless Autoconfiguration, DHCPv6
Addresses used           Private or Global        Link-local and Global
Address resolution       ARP                      Neighbour Solicitation / Advertisement
Host Path MTU Discovery  Optional                 Required
Fragmentation            By hosts or routers      Only by hosts
Private addressing       RFC 1918                 Unique Local Addresses (ULAs) (not designed for use with NAT)


IPv4/IPv6 integration


Scenarios
» There are many scenarios where IPv4/IPv6 integration tools and solutions are required, e.g.:
› A user on a dual-stack host (laptop) on an IPv4-only ISP (e.g. a wireless hotspot) wants to access remote IPv6 services
› Connecting IPv6 networks which only have IPv4 connectivity between them
› An IPv6-only system needs to talk to a ‘legacy’ IPv4-only system
– A realistic scenario on newly deployed access networks
– A common scenario on mobile phone networks


General approaches
» Tunnels / encapsulation
› Sending IPv6 packets over IPv4-only infrastructure
» Translation
› Used between IPv6-only and IPv4-only nodes
› Can be done at application, transport or IP layer
› (NAT64/DNS64/464XLAT not covered today – but can discuss if wanted…)
» Dual-stack
› Instead, choose to run both protocols
› Can talk IPv4 to IPv4-only networks and IPv6 to IPv6-only ones
› Application chooses which to use, e.g., based on sorting DNS query responses


IPv6 tunnels over IPv4
» IPv6 packets encapsulated as the payload of IPv4 packets
» Typical usage
› Connect a user with a dual-stack device on an IPv4-only ISP to IPv6 services (still common)
› Connect IPv6 networks over an IPv4 path (increasingly rare)
» Thus tunnels can be
› Host-to-router
› Router-to-router
» May be set up manually or automatically


Tunnel addressing example (diagram)


Manually configured tunnels
» Easy to set up and configure
» Good management potential
› An ISP configures the tunnels, so controls deployment, and is fully aware of customer demand
› Used historically on Janet to connect sites running pilots; tunnel from dual-stack site router to Janet tunnel server
› Jisc now prefers you use the native IPv6 they deliver to your door
› I’d assume most GridPP sites have native IPv6 connectivity to Janet
» Your users may be interested in IPv6 access from home or other IPv4-only networks
› This is a scenario served well by tunnel brokers


Tunnel brokers
» Tunnel brokers have proven quite popular over time
› In Europe the best example is www.tunnelbroker.net
› Reportedly well over 100,000 users at its peak
› Good way to get IPv6 experience at home, if your ISP lacks IPv6 support
› Not for use to connect campus sites
» General mode of operation:
› User/client registers with broker service, e.g. via a web page
› Tunnel requested by user from their IPv4 address
› Broker tunnel server sets up its end of the tunnel
› User/client configures client end of tunnel, e.g. by executing a script


Tunnel broker architecture (diagram)


Dual-stack IPv4/IPv6
» Already hinted at
› Run both protocols on hosts and routers – IPv6 support is now strong on all mainstream platforms
› Let applications/services decide which to use
› Aim to allow IPv4-only or IPv6-only nodes to function fully
› A stepping stone to IPv6-only operation
» Implies
› All network/host/application elements support IPv6
› IPv6-capable security components are available
› IPv4 must not be adversely affected – requires IPv6 functions to be implemented in hardware as per IPv4
› But this is all very possible today


Choosing the protocol
» In a dual-stack network the choice of protocol used is application specific
› Applications use DNS to resolve names to IP addresses
› DNS may return IPv4 (A) and/or IPv6 (AAAA) responses
› Application may sort these as it wishes, and favour IPv4 or IPv6
» If IPv6 is preferred, you must be confident about the performance / robustness of your IPv6 connectivity
› Users will notice connection issues, evidenced as timeouts before falling back to use IPv4
› This was a concern a few years ago, but not so valid today – witness all DNS root servers are now available via IPv6
› Browsers typically implement “Happy Eyeballs” (RFC 6555) to mitigate poor performance


Aside: DNS root servers

a.root-servers.net.  IN A     198.41.0.4
a.root-servers.net.  IN AAAA  2001:503:ba3e::2:30
b.root-servers.net.  IN A     192.228.79.201
b.root-servers.net.  IN AAAA  2001:500:84::b
c.root-servers.net.  IN A     192.33.4.12
c.root-servers.net.  IN AAAA  2001:500:2::c
d.root-servers.net.  IN A     199.7.91.13
d.root-servers.net.  IN AAAA  2001:500:2d::d
e.root-servers.net.  IN A     192.203.230.10
e.root-servers.net.  IN AAAA  2001:500:a8::e
f.root-servers.net.  IN A     192.5.5.241
f.root-servers.net.  IN AAAA  2001:500:2f::f
g.root-servers.net.  IN A     192.112.36.4
g.root-servers.net.  IN AAAA  2001:500:12::d0d
h.root-servers.net.  IN A     128.63.2.53
h.root-servers.net.  IN AAAA  2001:500:1::803f:235
i.root-servers.net.  IN A     192.36.148.17
i.root-servers.net.  IN AAAA  2001:7fe::53
j.root-servers.net.  IN A     192.58.128.30
j.root-servers.net.  IN AAAA  2001:503:c27::2:30
k.root-servers.net.  IN A     193.0.14.129
k.root-servers.net.  IN AAAA  2001:7fd::1
l.root-servers.net.  IN A     199.7.83.42
l.root-servers.net.  IN AAAA  2001:500:3::42
m.root-servers.net.  IN A     202.12.27.33
m.root-servers.net.  IN AAAA  2001:dc3::35


Translation approaches
» Required if you want to access IPv4-only content from an IPv6-only device
› e.g., in an IPv6-only access network
» Solutions are NAT64 / DNS64 / 464XLAT
› Where DNS is used, a DNS64 resolver 'tricks' a client into believing it's sending to an IPv6 destination, by synthesising an AAAA record that embeds the IPv4 destination address in the NAT64 prefix (RFC 6052); the NAT64 gateway extracts the IPv4 address again on the way out
› Without DNS (IPv4 literals), clients can do translation through 464XLAT
› Caveat: a synthesised AAAA record cannot pass DNSSEC validation at the client; RFC 6147 discusses the options for validating resolvers
» These are widely used by mobile operators
› i.e., people selling real services that depend on it
» For EE example in UK, see a UKNOF talk by Nick Heatley:
› https://www.youtube.com/watch?v=lKyuQ8mb_GE
› https://indico.uknof.org.uk/event/38/contribution/8/material/slides/1.pdf
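The DNS64 'trick' above rests on RFC 6052 address embedding. The following is an added example, not code from the talk or from any NAT64 product: it synthesises an IPv4-embedded IPv6 address for each of the prefix lengths RFC 6052 allows (32, 40, 48, 56, 64, 96), extracts the IPv4 address back out as a NAT64 gateway would, and shows the gateway's decision of whether a destination falls in the translation prefix at all. The well-known prefix 64:ff9b::/96 is from RFC 6052; the other prefixes and the A records are assumed test values from the documentation ranges.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses: what a DNS64 resolver synthesises for
a client, and what a NAT64 gateway extracts again on the way out."""
import ipaddress

WELL_KNOWN_PREFIX = ("64:ff9b::", 96)  # RFC 6052 section 2.1
ALLOWED_PLEN = (32, 40, 48, 56, 64, 96)


def synthesize(prefix, plen, v4):
    """Embed IPv4 address `v4` in `prefix`/`plen`. Bits 64-71 (the 'u' octet)
    must stay zero, so for /40, /48 and /56 the 32 IPv4 bits straddle it."""
    if plen not in ALLOWED_PLEN:
        raise ValueError(f"prefix length must be one of {ALLOWED_PLEN}")
    pfx = (int(ipaddress.IPv6Address(prefix)) >> (128 - plen)) << (128 - plen)
    v4i = int(ipaddress.IPv4Address(v4))
    if plen == 96:
        return str(ipaddress.IPv6Address(pfx | v4i))
    hi_bits = 64 - plen           # IPv4 bits that fit before the u octet
    lo_bits = 32 - hi_bits        # IPv4 bits placed after it, from bit 72 on
    hi = v4i >> lo_bits
    lo = v4i & ((1 << lo_bits) - 1)
    addr = pfx | (hi << 64) | (lo << (128 - 72 - lo_bits))
    return str(ipaddress.IPv6Address(addr))


def extract(addr, plen):
    """Inverse of synthesize(): recover the IPv4 address a NAT64 should send to."""
    if plen not in ALLOWED_PLEN:
        raise ValueError(f"prefix length must be one of {ALLOWED_PLEN}")
    a = int(ipaddress.IPv6Address(addr))
    if plen == 96:
        v4i = a & 0xFFFFFFFF
    else:
        hi_bits = 64 - plen
        lo_bits = 32 - hi_bits
        hi = (a >> 64) & ((1 << hi_bits) - 1)
        lo = (a >> (128 - 72 - lo_bits)) & ((1 << lo_bits) - 1)
        v4i = (hi << lo_bits) | lo
    return str(ipaddress.IPv4Address(v4i))


def dns64_answer(a_records, prefix=WELL_KNOWN_PREFIX[0], plen=WELL_KNOWN_PREFIX[1]):
    """What a DNS64 resolver returns for a name that has only A records."""
    return [synthesize(prefix, plen, a) for a in a_records]


def nat64_destination(dst6, prefix=WELL_KNOWN_PREFIX[0], plen=WELL_KNOWN_PREFIX[1]):
    """Gateway decision: IPv4 destination if `dst6` is inside the NAT64 prefix,
    otherwise None (the packet is native IPv6 and is routed, not translated)."""
    if ipaddress.IPv6Address(dst6) in ipaddress.IPv6Network(f"{prefix}/{plen}"):
        return extract(dst6, plen)
    return None


if __name__ == "__main__":
    # Constructed A record for an assumed IPv4-only service
    for aaaa in dns64_answer(["198.51.100.10"]):
        print(aaaa, "->", nat64_destination(aaaa))
    print(nat64_destination("2001:db8::1"))  # native IPv6, not translated
```

The six test vectors for 192.0.2.33 in RFC 6052 section 2.4 are the natural check for any implementation of this embedding; the /64 case is printed with a trailing `:0` because Python follows RFC 5952 and does not collapse a single zero field.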


EE


IPv6 deployment in practice


First - reasons to deploy IPv6?
» What are the drivers for your university to deploy IPv6?
» IPv4 address space is under pressure, but established universities and research organisations quite commonly have an old Class B /16 IPv4 address block
» They may, or may not, be running short of address space, e.g. for eduroam
» Why else might a university/college, or any other organisation, deploy IPv6?
» (In the GridPP case, your community has decided IPv6 is important, but to use it you'll presumably need support from your university or organisation to deploy it)
» Thoughts?


Some reasons to deploy
» To support teaching and research
» Turn on IPv6 on public-facing servers to simplify the ability of emerging IPv6-only access networks to communicate with you
› And thus avoid translation in the network (NAT64, etc)
» To manage IPv6 as a security measure
› All common IP devices have IPv6 support, and usually on by default
› So a nominally IPv4-only network already carries IPv6 traffic (link-local, rogue RAs, tunnels) that nobody is filtering or monitoring unless IPv6 is managed deliberately; see RFC 7123
» Gain experience in IPv6, to understand how to specify procurement requirements
› Even if you don't plan to turn it on just yet
› See http://www.ripe.net/ripe/docs/ripe-554 for example
» To allow deployment of new IPv6 applications
› e.g. true peer-to-peer applications with IPsec (à la Xbox); innovation at the edge
» To improve staff / student experience
› Bearing in mind that your users will now increasingly have IPv6 at home


Janet and IPv6
» Janet has been running IPv6 dual-stack since around 2003
› Undertook first IPv6 tests in 1996/97 on the then '6bone' network
» Janet has a /32 from the RIPE NCC
› 2001:630::/32
› Allocates /48s from this prefix to organisations, by default
› Two sites have a /44 (Oxford and Cambridge), presumably due to their colleges
» Various Jisc/Janet services are IPv6-enabled
› Jisc web site, www.jisc.ac.uk, via Cloudflare
› The .ac.uk DNS service
› Janet NTP servers
› eduroam RADIUS peerings
› …


High-level deployment steps?
» Preparation:
› Arranging IPv6 connectivity (to Janet)
› Getting IPv6 address space, and forming an IPv6 address plan
› Deciding the scope of your deployment project; you don't need to do the whole site from day 1
› Audit systems and software for IPv6 capability; what s/w might need porting?
» Deployment:
› Enabling IPv6 on the wire; routing IPv6 on the core (not exposing IPv6 to clients initially)
› Ensuring security policy is applied; firewalls, IDS
› Ensuring network management and monitoring is operational
› Configuring supporting services, including DNS
› Finally, enabling RAs on LANs where IPv6 is required; add DNS entries
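The "ensuring security policy is applied" step is where IPv6 deployments most often go wrong in practice, because an IPv4 mindset of "drop all ICMP" breaks IPv6 outright. The following nftables input policy for a dual-stack server is an added example, not a configuration from the talk or from Jisc: the management prefix 2001:db8:1:ff00::/64 and the service ports are assumptions, and the ICMPv6 selection follows RFC 4890.

```nft
# Added example: IPv6 input policy for a dual-stack server (assumed values).
# The equivalent 'ip' (IPv4) table is separate and not shown.
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Error and diagnostic ICMPv6 that IPv6 cannot function without
        # (RFC 4890 section 4.3.1). packet-too-big carries Path MTU Discovery;
        # blocking it silently breaks large transfers, with no fragmentation
        # by routers to paper over it as there is in IPv4.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, echo-reply } limit rate 10/second accept

        # Neighbour Discovery is link-local and always sent with hop limit 255;
        # anything arriving with a lower hop limit has been forwarded and is
        # therefore forged. Redirects are deliberately not accepted on a server.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-reduction } ip6 saddr fe80::/10 accept

        # Services: SSH from the assumed campus management range only, HTTPS from anywhere
        tcp dport 22 ip6 saddr 2001:db8:1:ff00::/64 accept
        tcp dport 443 accept
    }
}
```

Load it with `nft -f` and confirm the result with `nft list ruleset`. The hop-limit check on Neighbour Discovery protects the host itself; protecting the segment from rogue Router Advertisements is a switch function (RA Guard, RFC 6105) and belongs in the "enabling RAs on LANs" step.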


Production deployment - projects?
» No need for a full IPv6 roll-out from day one
› Not practical, and not required
› UK universities to date are all deploying dual-stack; IPv6-only is a future aspiration
» Options that a number of universities have used include
› Public-facing services (e.g., web presence, DNS servers); see RFC 6883 for advice
› Wireless network (e.g., eduroam)
› Computer Science / research department(s)
› Computing Service department
› 'Science DMZ' is another emerging use case
» In your case, you probably just want to enable your GridPP elements
› But likely to need deployment in campus core first, whether Science DMZ used or not


What is Science DMZ?
» It's a design pattern published by ESnet in 2013
» Principles:
1. Optimise network for science transfers; 'onramp' at edge
2. Tune DTN endpoints
3. Measure with perfSONAR
4. Apply security, efficiently
» Then add IPv6!
› Quite a nice, constrained deployment area for a campus


Getting an IPv6 prefix
» To deploy, you'll need an IPv6 prefix for your site
» If your Janet-connected site doesn't already have a prefix, it's very easy to get a /48 from Jisc
» Send an email to Janet Service Desk
› to service@ja.net, or directly to ipaddress@ja.net
» They will reply with a username and password for a web form; it's a fairly simple process
» See https://www.jisc.ac.uk/contact


Advice on address planning?
» A very good guide available from the RIPE NCC:
› https://labs.ripe.net/Members/steffann/preparing-an-ipv6-addressing-plan
» Also see a video of a recent UKNOF talk:
› https://www.youtube.com/watch?v=lWFcIk4oMMU
» Lots of ways to be "clever"
› e.g., embed VLAN IDs into the 16 bits of subnet space
» Can choose to plan by topology, or by administrative functions
› May just assign a /64 IPv6 prefix to each existing IPv4 subnet
› Should be able to route prefixes in a typical campus without aggregation
› Might for example get a /56 allocated from your campus prefix for use by GridPP systems
» Other considerations
› ULAs (RFC 4193) currently not widely deployed; no evidence of use within UK universities
› No need for IPv6 PI space (or LIR status) for most Janet-connected sites


Adding IPv6 DNS entries
» Adding IPv6 DNS records is similar to IPv4
› Just add IPv6 AAAA ('quad A') records where you would normally add IPv4 A records, e.g.
$ dig -t any websites1.ecs.soton.ac.uk.
websites1.ecs.soton.ac.uk. 1800 IN AAAA 2001:630:d0:f104::80e
websites1.ecs.soton.ac.uk. 1800 IN A 152.78.189.43
» You need to arrange and configure forward and reverse DNS delegations
› Using the same procedure as for IPv4
› Reverse DNS sits under ip6.arpa, using nibble-based delegations
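The address-plan choices on the previous slide (a /64 per VLAN carved from the site /48, or a /56 per department) and the nibble-based reverse delegation described here are easy to get subtly wrong by hand, so the following is an added example, not code from the talk or from Jisc. It derives the subnets from a site prefix, the ip6.arpa zone name to request for a delegation, and the matching AAAA/PTR pair for a host. The site prefix 2001:db8:1::/48, the VLAN and department numbers and the host name are assumptions; Python's `IPv6Address.reverse_pointer` gives the same PTR name as the helper here, which spells the nibble rule out.

```python
"""Carve /64s (one per VLAN ID) and /56s from a site /48, and generate the
ip6.arpa reverse zone names and AAAA/PTR records that go with them."""
import ipaddress

# Assumed site allocation (documentation prefix, standing in for a Janet /48)
SITE = ipaddress.IPv6Network("2001:db8:1::/48")


def vlan_subnet(site, vlan_id):
    """Embed the VLAN ID as the 16-bit subnet field, written in hex: VLAN 0x104
    in 2001:db8:1::/48 becomes 2001:db8:1:104::/64."""
    if site.prefixlen != 48:
        raise ValueError("expects a /48 site prefix")
    if not 0 <= vlan_id < 0x10000:
        raise ValueError("VLAN ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(site.network_address) | (vlan_id << 64), 64))


def department_block(site, index):
    """Plan by administrative function instead: hand the unit numbered `index`
    (0..255) a /56, i.e. 256 /64s of its own."""
    if site.prefixlen != 48:
        raise ValueError("expects a /48 site prefix")
    if not 0 <= index < 256:
        raise ValueError("a /48 holds 256 /56s")
    return ipaddress.IPv6Network((int(site.network_address) | (index << 72), 56))


def reverse_zone(net):
    """ip6.arpa zone name to delegate for `net`. Delegations are per nibble,
    so the prefix length must be a multiple of 4."""
    if net.prefixlen % 4:
        raise ValueError("delegate at a nibble boundary (prefix length divisible by 4)")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def records(hostname, addr):
    """Forward AAAA and reverse PTR for one host, as zone-file lines."""
    a = ipaddress.IPv6Address(addr)
    ptr_name = ".".join(reversed(a.exploded.replace(":", ""))) + ".ip6.arpa."
    return (f"{hostname} IN AAAA {a}", f"{ptr_name} IN PTR {hostname}")


def overlaps(nets):
    """Sanity check for a plan: True if any two prefixes overlap."""
    nets = sorted(nets, key=lambda n: int(n.network_address))
    return any(a.overlaps(b) for a, b in zip(nets, nets[1:]))


if __name__ == "__main__":
    v104 = vlan_subnet(SITE, 0x104)
    gridpp = department_block(SITE, 0x12)          # assumed /56 for GridPP systems
    print(v104, "reverse zone:", reverse_zone(v104))
    print(gridpp, "reverse zone:", reverse_zone(gridpp))
    for line in records("host1.example.net.", "2001:db8:1:104::80e"):
        print(line)
    print("plan overlaps:", overlaps([v104, gridpp]))
```

Note that mixing the two schemes in one /48 needs the overlap check: VLAN IDs 0x1200 to 0x12ff would collide with department /56 number 0x12.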


Host configuration?
» Choices:
› Manual address configuration (you may do this now for IPv4, esp. for servers?)
› Use SLAAC
› Use DHCPv6
» Remember you'll need to run RAs on the subnet router regardless of use of DHCPv6 or SLAAC for addresses
» In practice, in a typical campus dual-stack network you'll see:
› IPv4 address by DHCP
› IPv6 address by SLAAC
› Other configuration from (IPv4) DHCP
» If you run IPv6-only (no IPv4) then you'll need at least stateless DHCPv6
› You may want to explore RFC 8106 (DNS resolver option for RAs)
› IPv6-only is the end-game; question is at what point it's practical to deliver
› Ideally, don't really want to be translating high-volume science traffic
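What a host does with an RA is decided by two flags in the RA header (M and O) and the A flag on each Prefix Information option, which is why the RA is needed whichever of SLAAC or DHCPv6 hands out addresses. The following parser is an added example, not code from the talk or from any operating system: it decodes a constructed Router Advertisement (ICMPv6 type 134, RFC 4861) carrying a Prefix Information option and an RDNSS option (RFC 8106) and states the resulting configuration plan. Prefix, resolver address and lifetimes are assumed values; the ICMPv6 checksum is not verified because the IPv6 pseudo-header is not part of the payload shown.

```python
"""Decode a Router Advertisement and derive the host's configuration plan:
SLAAC from the Prefix Information option, DHCPv6 from the M/O flags,
resolvers from the RDNSS option (RFC 8106)."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25


def parse_ra(payload):
    """`payload` is the ICMPv6 header plus options (no IPv6 header)."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT or payload[1] != 0:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, router_lifetime, _reachable, _retrans = struct.unpack("!BBHII", payload[4:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": router_lifetime, "prefixes": [], "rdnss": []}
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861 4.6: must discard the packet
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("truncated option body")
        opt = payload[off:end]
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            ra["prefixes"].append({
                "prefix": str(ipaddress.IPv6Network((opt[16:32], plen), strict=False)),
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            lifetime = struct.unpack("!I", opt[4:8])[0]
            for i in range(8, len(opt), 16):
                ra["rdnss"].append((str(ipaddress.IPv6Address(opt[i:i + 16])), lifetime))
        off = end   # unknown options are skipped, as RFC 4861 requires
    return ra


def configuration_plan(ra):
    """What a standards-following host does with this RA."""
    plan = []
    if any(p["autonomous"] for p in ra["prefixes"]):
        plan.append("SLAAC address from advertised prefix")
    if ra["managed"]:
        plan.append("stateful DHCPv6 for addresses and other configuration")
    elif ra["other"]:
        plan.append("stateless DHCPv6 for other configuration (DNS etc.)")
    if ra["rdnss"]:
        plan.append("resolvers from RDNSS option")
    return plan


def build_ra(managed=False, other=True, prefix="2001:db8:1:104::", plen=64,
             rdnss=("2001:db8:1:53::53",)):
    """Construct a sample RA (assumed values): hop limit 64, router lifetime 1800s,
    prefix with L+A set, valid 30 days / preferred 7 days, RDNSS lifetime 3600s."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    pio += ipaddress.IPv6Address(prefix).packed
    pkt = hdr + pio
    if rdnss:
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 3600)
        pkt += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return pkt


if __name__ == "__main__":
    for label, ra in (("campus LAN (SLAAC, O flag, RDNSS)", parse_ra(build_ra())),
                      ("server LAN (M flag, no RDNSS)", parse_ra(build_ra(managed=True, other=False, rdnss=())))):
        print(label, "->", configuration_plan(ra))
```

The first constructed RA is the IPv6-only campus case from the slide: addresses by SLAAC, resolvers from RDNSS and, for anything RDNSS cannot carry, stateless DHCPv6. The second is the managed-servers case, where the A flag is still set in this sample; a site that wants DHCPv6-only addressing must also clear the A flag, or hosts will configure SLAAC addresses in addition.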


Other deployment considerations?
» ULAs?
› Probably no need; just use global addresses
› Could use for systems that will never communicate externally
› Not designed for IPv6 NAT
» Use of privacy addresses?
› Should disable these for non-user systems; helps simplify management
» Enabling IPv6 for a service?
› Enable IPv6 on the system; add DNS entry to 'advertise' IPv6 capability
› Ensure all services running on that hostname support IPv6 before adding the entry
» Routing?
› Might use static routing for a simple deployment
› If using OSPFv2 for IPv4, you can run OSPFv3 alongside for IPv6, or use multi-AF IPv4/IPv6 support in OSPFv3


Commercial IPv6 Deployment Activity: IPv6 Deployment Status


IPv6 deployment
» Early IPv6 adoption was largely by the academic networks
» Commercial deployment was, until recently, slower
› Larger UK ISPs now starting to move; Sky was first with over 4M users enabled, BT now ready
› See www.ipv6.org.uk for information on UK IPv6 deployment; running security workshop on July 12th
› UK now at around 20% deployment; Janet sites still under 5% IPv6
› Though some high volume examples, such as approx 40 Gbps IPv6 achieved by Imperial
» Significant ongoing activity by content providers
› e.g. Google, Comcast, Facebook, Netflix, Microsoft, and Akamai / Cloudflare CDNs
» Measurement examples:
› https://labs.ripe.net/Members/mirjam/content-ipv6-measurement-compilation (RIPE NCC)
› http://www.worldipv6launch.org/measurements/ (ISOC World IPv6 Launch site)


Google IPv6 statistics


Google stats for UK, late 2015


Google stats for UK, Jun 2017


2013: T-Mobile went IPv6-only on Android
IPv6 WAN now uses IPv6-only, with NAT64/DNS64


2016: IPv6 is dominant protocol in US mobile


Cloud: significant recent progress


Questions?
Email: tim.chown@jisc.ac.uk